New feature: New app assignment process in Intune with an “Excluded Groups” option

You can now more easily manage app assignments to groups with overlapping members or targeted with conflicting app assignment types. All you'll do now is assign an app to a group and then exclude that app from another group. In this blog post, we’ll talk about how you can use the new assignment process and what you will see in the console.

The new feature will replace the option of assigning apps as “Not Applicable” that we used to have in our app assignment process. You may recall that if you targeted assignment type “Available” to a large group but made it “Not Applicable” to a smaller subset of that group, the assignment type would result in the smaller group not getting the app in the Company Portal. That will no longer be the case. “Not Applicable” will not be an option in the console but will be replaced by “Excluded Groups”.

Scope of the new Exclude feature

The ability to exclude certain groups in our new assignment process will work across all assignment types and will be available on all supported platforms except Android for Work. Using “Excluded groups” in assigning apps makes it easy to meet many different scenarios you may come across. Here are two examples of that:

You’ve assigned the latest version of an app to a test group of users to make sure the app works as intended. You have also already assigned a previous version of the app to all users, but your test group is part of all users. To avoid reassigning the app twice to your test group of users, you’ll assign the app to all users, but exclude the test group.

A second example we’ve heard is when you assign an app, such as an expense LOB app to all users, but you want to exclude your executive team – say they have a different expense LOB app they use. You can do so with this new feature.

Using the Exclude option

Let’s dive into the details on how you’ll use this feature and the logic built in the admin console to keep you from having to troubleshoot any conflicting app assignments. These are four options you’ll have in the console for app assignments:

Available for Enrolled devices

Available with or without enrollment

Required

Uninstall

You will also find an “All Users” group and an “All Devices” group, which we explain later in this blog post.

When you select an assignment type from the four options we mention above, you will be prompted to include or exclude certain groups.

Note: In the process of adding groups, if an existing group has already been ‘Included’ for a given assignment type, it will show up as pre-selected and cannot be modified to be ‘Included’ in other assignment types. For example, the chart below shows the options you’ll have if you have 4 groups (A, B, C and D) that you want to assign to two different assignment types.

When you exclude groups from an assignment, you must exclude only user or only device groups, not a mixture of groups. Intune does not consider user to device association when excluding groups. Including user groups while excluding device groups is unlikely to produce the results you need, as inclusion will take precedence over exclusion. For example, if you target an iOS app to All Users and exclude All iPads, the net result will be that any user using an iPad will still get the app. If, however, you target the iOS app to All Devices and exclude All iPads, the deployment will be successful.

All Users and All Devices

With this release, we have pre-created an ‘All Users’ and an ‘All Devices’ group in the console for your convenience, with built in optimizations. We highly recommend that you use this group for targeting all users and all devices instead of any ‘All users’ or ’All devices’ groups you may have created yourself.

If you want to assign an app as “Required” to a group of users – maybe you want to have an app pushed to a group - the ‘All Users’ option will appear disabled if it has already been used for another assignment type. However, you have the option of making an app required on 'All Devices'.

Similarly, for all other assignment types, if you have already enabled the ‘All Users’ option in one assignment type, the option will show up as disabled in other assignment types.

Finally, you have a chance to view all your assignment details in a single pane. This is where you can click on a single row to edit or remove any assignment. All the changes you make to your app assignments will not be stored until you hit the “Save” button.